Integrating intrusion alert information to aid forensic explanation: An analytical intrusion detection framework for distributive IDS
References
A. Valdes, K. Skinner, Probabilistic Alert Correlation, LNCS, vol. 2212, Recent Advances in Intrusion Detection, RAID 2001, Springer-Verlag.
P. Stephenson, The Application of Intrusion Detection Systems in a Forensic Environment, RAID 2000, Springer-Verlag, Berlin, Heidelberg.
Schneier, Secure audit logs to support computer forensics, ACM Transactions on Information and System Security 2 (1999) 159, doi:10.1145/317087.317089.
M. Roesch, Snort – Lightweight Intrusion Detection for Networks. <http://www.Snort.org/docs/lisapaper.txt>.
T.H. Ptacek, T.N. Newsham, Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, January 1988. <http://www.Snort.org/docs/idspaper/>.
<http://www.sdsc.edu/~peisert/research/peisert-dissertation.pdf>, 2007.
P. Sommer, Intrusion Detection System as Evidence, in: Proc. of the First International Workshop on Recent Advances in Intrusion Detection (RAID), 1998.
King, Backtracking intrusions, ACM Transactions on Computer Systems 23 (2005) 51, doi:10.1145/1047915.1047918.
S. Peisert, M. Bishop, S. Karin, K. Marzullo, Toward models for forensic analysis, in: Proceedings of the 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, 2007, pp. 3–15, ISBN:0-7695-2808-2.
A. Goel, W. Feng, D. Maier, J. Walpole, Forensix: a robust, high-performance reconstruction system, in: Proceedings of the 25th International Conference on Distributed Computing Systems Workshops, 2005, pp. 155–162.
B.K. Sy, H. Chan, Data mining approach for anomaly detection: a signature-based approach, in: Proceedings of the 2005 International Conference on Data Mining, Las Vegas, Nevada, June 20–23, 2005.
D. Ellis, J. Aiken, J.K. Attwood, S. Tenaglia, A behavioral approach to worm detection, in: Proceedings of the ACM Workshop on Rapid Malcode, 2004.
S. Axelsson, Research in intrusion-detection systems: a survey, Technical Report 98-17, December 1998.
J. Doyle, I. Kohane, W. Long, H. Shrobe, P. Szolovits, Event recognition beyond signature and anomaly, in: Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, West Point, NY, June 2001, pp. 17–23.
P. Roberts, NAI goes forensic with InfiniStream, InfoWorld, February 2003. <http://www.infoworld.com/article/03/02/10/HNnai_1.html>.
Sandstorm Enterprise: NetIntercept, February 2003. <http://www.sandstorm.com/products/netintercept/>.
K. Shanmugasundaram, N. Memon, A. Savant, H. Bronnimann, ForNet: a distributed forensics network, in: Second International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security, LNCS 2776, Springer 2003, ISBN:3-540-40797-9.
Wu, A Fast Algorithm for Multi-Pattern Searching, 1994.
Norton, 2004
S. Axelsson, The base-rate fallacy and its implications for the difficulty of intrusion detection, in: Proceedings of the ACM Conference on Computer and Communication Security, November 1999. <http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf>.
N. Tuck, T. Sherwood, B. Calder, G. Varghese, Deterministic memory-efficient string matching algorithms for intrusion detection, in: Proceedings of the IEEE Infocom Conference, Hong Kong, China, March 2004.
<http://www.endace.com/>.
<http://www.nss.co.uk/grouptests/gigabitids/edition3/sourcefire/sourcefire.htm>.
B.K. Sy, A. Gupta, Information-statistical Data Mining: Warehouse Integration with Examples of Oracle Basics, Kluwer Academic Publishing, 2003/2004, ISBN:1-4020-7650-9.
Kuenzi, 1971
M.T. Heath, Scientific Computing: An Introductory Survey, McGraw Hill, 1997, ISBN:0-07-027684-6.
<http://www.qcwireless.net/dids_paper/svd_mechanism_illustration.pdf>.
W.H. Press, B.P. Flannery, S.A. Teukolsky, W.T. Vetterling, Numerical Recipes in C: The Art of Scientific Computing, second edition, Cambridge University Press, 1992, ISBN:0-521-43108-5.
B.K. Sy, Probability model selection using information-theoretic optimization criterion, The Journal of Statistical Computation and Simulation 69(3) (2001) 203–224 (also US Patent 6,961,685).
<http://www.Snort.org/rules/>.
<http://www.bleedingSnort.com/bleeding-all.rules>.
<http://www.qcwireless.net/dids_paper/online_appendix.pdf>.
B.K. Sy, N. Mullodzhanov, Extracting forensic explanation from intrusion alerts, in: Proc. of 2006 International Conference on Data Mining (DMIN’06), Las Vegas, Nevada, June 2006.
H. Debar, M. Dacier, A. Wespi, A Revised Taxonomy for Intrusion-Detection Systems, IBM Research Report, 1999.
Han, 2001
Duda, 2001